Hack of billion-dollar Norwegian firm is tied to Chinese espionage group APT10

The research underscores APT10's global reach and interest in the supply chain.
china national vulnerability database

Weeks after the Department of Justice announced the indictment of two men linked with a Chinese state-sponsored hacking group, security researchers say they have uncovered a cyber-espionage campaign by the same entity against a European software company, a U.S. law firm, and a global apparel company.

Analysts at Recorded Future and Rapid7 tracked the hacking operation between November 2017 and September 2018, and publicly revealed the breaches Wednesday.

The researchers assessed with “high confidence” that APT10, a group tied to China’s civilian intelligence agency, was responsible for the hacking, calling the group “the most significant Chinese state-sponsored cyber threat to global corporations known to date.”

Only one of the three victims is named: Visma, a billion-dollar Norwegian software company that claims 850,000 customers around the world. The hackers likely breached Visma to gain access to other organizations’ networks, the researchers said, but targeted the law and apparel firms “to gather information for commercial advantage.”


Visma said it worked with Rapid7 to identify and mitigate the breach, and Recorded Future to investigate further. “In this case, no client data was compromised, and Visma chose not to issue a general alert before they had conclusive evidence on who performed the theft,” the Norwegian company said in a statement.

The breached law firm has “strong experience in intellectual property law,” with clients in the pharmaceutical, car, and electronics sectors, among others, according to Recorded Future and Rapid7.

The attackers were consistent in their methods. In all three breaches, they broke in via remote-access software using stolen credentials, the researchers said. The hackers then escalated their privileges and used a “side-loading” technique, which includes an encoded payload file. The U.S. Department of Homeland Security issued a warning about that technique in a 2017 industry advisory.

U.S. officials have identified APT10 as a persistent threat to American companies, and have intensified efforts to raise awareness through legal action and public advisories. U.S. prosecutors in December announced charges against two alleged APT10 members for a hacking spree against more than 45 companies and government agencies, from pharmaceutical firms to the U.S. Navy. The indictment helped security researchers more firmly attribute the espionage operation revealed Wednesday to APT10.

“The list of victim companies reads like a who’s who of the global economy,” FBI Director Christopher Wray said in announcing the indictment.


The Chinese government, which rejected the charges as “slanderous,” has long denied that it carries out cyber-enabled economic espionage.

Later on Wednesday, DHS plans to brief companies on APT10’s compromise of IT service providers, which offer a valuable foothold for hackers looking to steal trade secrets.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts